Run Mintmaker DependencyUpdateCheck cronjobs as non-root (attempt #2) #5894
Conversation
|
Skipping CI for Draft Pull Request. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: querti The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
!!!!!!!! DO NOT MERGE !!!!!!!! I believe the reason #5868 failed is because it was prematurely merged before new SCC introduced by konflux-ci/mintmaker#222 could be applied. |
Could you change it in staging first? It should be possible to add a patch in |
…hat-appstudio#2) Mintmaker SA has been granted the anyuid SCC becuase it needs to run its subscription-manager pod as root[1]. A side effect is that now it tries to run all of its pods as root by default. This is not secure and also conflicts with the setting runAsNonRoot: true, resulting in failing jobs. Explicitly run these cronjobs as a non-root user. This commit should be merged at the same time as [1], otherwise the created jobs will fail with an error. Without the anyuid SCC, pods cannot have arbitrary UIDs - they must be selected from the allowed range. Each namespace has its own range and it is chosen arbitrarily. This means that mintmaker namespace in each cluster has a different allowed UID range. Explicitly setting the UID will cause an error - at least in some clusters. Having anyuid SCC solves this as any UID that doesn't have to adhere to the predefined UID range can be chosen. Merging this commit after [1] will cause these cronjob pods to be created as a root user, which is not allowed as per the defined security context. [1] konflux-ci/mintmaker#222
querti
force-pushed
the
mintmaker-run-cronjob-as-nonroot-#2
branch
from
4dc60ee to
c6cface
Compare
That's a good idea, I changed it to only modify the cronjobs in stage. Though I think for maximum safety, this patch should be a part of the "promote to stage" PR. |
Nice, you can amend the promote PR to include this commit before we're ready to deploy to stage, (then close this one). |
Mintmaker SA has been granted the anyuid SCC becuase it needs to run its subscription-manager pod as root[1]. A side effect is that now it tries to run all of its pods as root by default. This is not secure and also conflicts with the setting runAsNonRoot: true, resulting in failing jobs. Explicitly run these cronjobs as a non-root user.
This commit should be merged at the same time as [1], otherwise the created jobs will fail with an error. Without the anyuid SCC, pods cannot have arbitrary UIDs - they must be selected from the allowed range. Each namespace has its own range and it is chosen arbitrarily. This means that mintmaker namespace in each cluster has a different allowed UID range. Explicitly setting the UID will cause an error - at least in some clusters. Having anyuid SCC solves this as any UID that doesn't have to adhere to the predefined UID range can be chosen.
Merging this commit after [1] will cause these cronjob pods to be created as a root user, which is not allowed as per the defined security context.
[1] konflux-ci/mintmaker#222
Refers to CLOUDDST-26090